Screening of data packets in a gateway
Sorting of packets in a gateway network element (title in Finnish)
Sorting of data packets in a gateway network element (title in Swedish)



BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The invention relates in general to information based on which data packets are
screened in a network node. It further relates to processing data packets in a
network node based on such information.

2. Description of Related art 

The public Internet is presently being used more and more for sensitive and mission
critical communications. Since the basic mechanisms of the Internet were originally
not designed with secrecy and confidentiality in mind, the Internet is an untrusted
network. Skilled individuals can in many cases eavesdrop on or divert
communications, which requires the use of different kinds of security measures in
order to use the Internet for sensitive communications.

The local networks of various organizations and enterprises are nowadays
connected to the public Internet. To protect a local network, a special gateway is
usually used to connect the local network to a public network. This special gateway
is often called a firewall, and the purpose of a firewall is to prevent unauthorized
access to the local network. Typically there is a need to restrict access to a local
network from a public network and/or to restrict access from the local network to
the public network or to further networks connected to the public network. On the data
packet level this means that data packets which are entering and/or exiting a local
network are screened or filtered in a firewall. In addition to filtering data packets, a
gateway element may secure data packets transmitted between, for example, certain
local networks. In this case the gateway is both a firewall and a VPN (Virtual
Private Network) gateway.

Figure 1 illustrates an example with a first local network 12, a second local network
14 and a public network 10. The public network may be, for example, the Internet.
The local networks 12, 14 are connected to the public network 10 via gateway
entities 16 and 18, respectively. A gateway element 16, 18 may be implemented as
one network node (server) or as a cluster of nodes. The term gateway element is used in
this description to refer to a network node or to a cluster of network nodes, where
data packet screening is typically performed and which connects at least two
networks (each network having at least one network node) to each other. A gateway
element may be, for example, a firewall node, a firewall node provided with VPN
functionality or a cluster of such nodes.

The screening of data packets is usually done using information specifying at least
allowed data packet headers and corresponding instructions for processing a data
packet. This information is usually an ordered set of rules. Figure 2 illustrates as an
example a set 20 of rules, having a first rule Rule1, a second rule Rule2, and so
forth. The order of the rules in the rule set typically defines the order in which a
header of a data packet is compared to the rules. The instructions specified in the
first rule to which the header of a data packet matches state the action to be
carried out for said data packet. The rules are typically listed in a rule file in the
order in which they are processed: a rule file thus typically comprises a sequence of
rules Rule1, Rule2, ..., RuleN. The rule file is typically stored in a gateway
element, for example in gateway element 16.

A typical format for the rules is the following: header information, action. The
header information typically involves the source address (src), destination address (dst)
and protocol (prot) of a data packet, and a rule typically has the following
form: src, dst, prot, action. This means that for a data packet which has the
indicated header information, the indicated action is carried out. Typically the
action is 'drop' or 'accept', which means the data packet is discarded or allowed to
proceed, respectively. As a data packet is processed, its header information is
compared to the header information indicated by the rules; the rules are processed in
the order defined by the ordered set. Typically the last rule in the ordered set of
rules (e.g. RuleN in Figure 2) is of the following form: any, any, any, drop. This
means a data packet whose header information does not match the header
information indicated in any of the preceding rules is discarded.

A problem in having an ordered set of rules is that when, for example, a new rule is
added to the ordered set of rules, the position of the new rule has to be determined
with care. Otherwise the effect of the rule may not be the desired effect. Finding the
correct position for a new rule may be difficult, especially as the list of rules in a rule
file may comprise a vast number of rules. Furthermore, a packet is typically
compared to a large number of rules before the rule to which it matches is found. In
the worst case, a packet is compared to all rules and then discarded on the basis of
the very last rule. This results in inefficient use of processing resources in a gateway
element.

SUMMARY OF THE INVENTION 

An object of the invention is to present a flexible method and arrangement for
providing information for screening data packets. A further object is to present a
method and arrangement for providing screening information where the effect of the
rules may be easily determined. A further object is to present an efficient method
for screening data packets.

Objects of the invention are achieved by using a hierarchical set of rules.

A method according to the invention is a method for processing data packets in a
gateway element, said method comprising the steps of:

- comparing a data packet to screening information comprising a set of rules, and

- processing a data packet according to a rule belonging to the set of rules, the
header information of said data packet matching the header information of said rule,

and it is characterized in that

- said screening information is hierarchically structured so that it comprises a first
rule, which specifies first header information, and a subset of rules relating to said
first rule, and in that

- in said step of comparing a data packet, said data packet is compared to said subset
of rules only if the header information of the data packet matches the header
information of the first rule.

A gateway element according to the invention comprises

- means for storing screening information and

- means for processing data packets, said processing involving comparison of a data
packet header to header information specified in said screening information,

and it is characterized in that said means for processing data packets are arranged to
compare header information of a data packet to screening information comprising a
first rule, which specifies first header information, and a subset of rules relating to
said first rule, and arranged to compare a data packet to said subset of rules only if
the header information of the data packet matches the header information of the first
rule.

An arrangement according to the invention comprises at least one gateway element
and a database entity, and said at least one gateway element comprises

- means for storing information for screening data packets and

- means for processing data packets, said processing involving comparison of a data
packet header to header information specified in said screening information,

and said arrangement is characterized in that

- said database entity comprises means for providing information for screening data
packets,

- said at least one gateway element further comprises means for receiving at least
part of said information for screening data packets from said database entity,

and said means for processing data packets are arranged to compare header
information of a data packet to screening information comprising a first rule, which
specifies first header information, and a subset of rules relating to said first rule, and
arranged to compare a data packet to said subset of rules only if the header
information of the data packet matches the header information of the first rule.

The invention further relates to a computer program comprising program code for
performing all the steps of a method according to the invention when said program
is run on a computer.

The invention relates also to a computer program product comprising program code 
means stored on a computer readable medium for performing a method according to 
the invention when said program product is run on a computer. 

A data structure according to the invention comprises screening information, and it
is characterized in that said screening information is hierarchically structured so that
it comprises a first rule, which specifies first header information, and a subset of
rules relating to said first rule, said first header information being common to said
rules belonging to said subset of rules.

Hierarchical structure of screening information refers to organizing rules into
groups of rules, where each rule belonging to a certain group has a certain part of
the header information in common with the other rules belonging to the same group.
The common part of header information is placed in one rule, and the group of rules
is made subordinate to this one rule. Typically the screening information is
organized by a person or entity responsible for the management of a gateway
element.

Hierarchical structure of screening information clarifies the screening information,
as instructions for processing certain data packets that have something in common
in their header information are grouped into sets of subrules. Therefore modification
of screening information is easier when hierarchical rules are used instead of a
plain ordered set of rules. Furthermore, hierarchical rules allow more efficient
processing of data packets. If the partial header information specified in a first rule
does not match a data packet, there is no need to compare the header information of
that data packet to the header information specified in the subrules of said first rule.
Typically the order of rules is decisive in hierarchically structured screening
information, and therefore there may be a number of sets of subrules having the
same common header information in, for example, a file containing screening
information.

Additionally, a feature of some embodiments of the invention enables distributing
rights to modify rules. That is, a local entity other than the entity authorized to
modify all rules may be given the right to modify a subset of rules.

The appended dependent claims describe some preferred embodiments of the 
invention. 

BRIEF DESCRIPTION OF THE DRAWING

The invention is now described in more detail with reference to the accompanying 
drawing, where 

Figure 1 illustrates two local networks connected to a public network via
gateways,

Figure 2 illustrates a set of rules for screening data packets according to prior
art,

Figure 3 illustrates screening information in accordance with the invention,

Figure 4 illustrates a feature of screening information advantageously used in
some embodiments of the invention,

Figure 5 illustrates a second feature of screening information advantageously
used in some embodiments of the invention,

Figure 6 illustrates further examples of screening information in accordance
with the invention,

Figure 7a illustrates an example of a method for providing screening information
to a gateway element,

Figure 7b illustrates an example of a method in accordance with the invention,
and

Figure 8 illustrates an example of a gateway element and an arrangement in
accordance with the invention.

DETAILED DESCRIPTION OF THE INVENTION

Figures 1 and 2 are discussed in more detail above in connection with the prior art 
description. 

Figure 3a illustrates screening information 40, which involves hierarchical rules, in
accordance with the invention. Screening information 40 illustrated in Figure 3
comprises a rule 401, in Figure 3 this rule is Rule3 as an example, which specifies
only partial header information. This rule 401 has subordinate rules 402, 403 (in
Figure 3 rules from Rule3.1 to Rule3.0), which comprise more header information.
The instruction part in Rule3 gives the instruction to proceed to the subordinate rules,
either implicitly (absence of an instruction part) or explicitly. The header information
in a subordinate rule 402, 403, either alone or together with the partial header
information presented in rule 401, specifies the header information of a data
packet which results in a match and causes the data packet to be processed in
accordance with the instructions specified in the subordinate rule.

If the partial header information specified in rule 401 does not match a data packet,
there is no need to compare the header information of that data packet to the header
information specified in subrules 402, 403. Thus, hierarchical rules allow more
efficient processing of data packets.

Screening information may comprise any number of rules having subordinate rules.
A first set of subordinate rules may relate, for example, to data packets relating to
incoming email messages. A second set of subordinate rules may relate, for example,
to data packets from a public network to a WWW server placed behind a gateway
element. Consider an example where a WWW server and a mail server are placed in
a separate network DMZ, which is separated both from a local network and from the
public network via a gateway element. It is possible that both these sets of subrules
are subordinate to a certain rule. This certain rule may specify, for example, that the
subrules are considered when the source of a data packet may be any source, the
destination is DMZ, and the protocol may be any protocol. In the subrules relating to
email, the destination may be further specified to be the address of the mail server,
and in the subrules relating to WWW, the destination in the subrules may be
specified to be the address of the WWW server. In addition, as it is possible that the
mail server is managed by a different entity/person than the WWW server, it is
possible that the subrules relating to the mail server are modifiable by a first entity,
and the subrules relating to the WWW server are modifiable by a second entity. The
mail server and the WWW server are used above as clarifying examples; the
subrules may relate to any protocols, servers or network addresses. Also the header
information may be divided between a rule and its subrules in any suitable way.

Furthermore, a set of subrules may be subordinate to a subrule. In other words,
there may be a subrule inside a subrule. An example of this is given in Figure 3b,
where screening information 42 is illustrated. Rules 3 and 3.1 (marked with
reference numbers 401 and 402) are similar in screening information 40 and 42. In
screening information 42 Rule 3.2, which itself is a subrule of Rule 3, has two
subrules. Rule 3.2 (marked with reference number 421) specifies more detailed
header information than Rule 3, and this header information is common to Rules
3.2.1 and 3.2.2. Typically it is different from the header information specified in
Rule 3.1. The parts of the header information which are different for Rules 3.2.1
and 3.2.2 (marked with reference numbers 422 and 423) are specified in these
rules.

Figure 4 illustrates a feature of screening information advantageously used in some
embodiments of the invention. In addition to an ordered set of rules 20, which is
modifiable, the screening information 30 comprises a rule template 31, 32, whose
modification is prevented except by authorized entities. For example, if the rule
template is fetched from a database during configuration of a gateway element, it is
possible that local modification of the rule template is completely prevented. Only
an entity authorized to modify a rule template stored in the database may in this
case modify the rule template. Alternatively, it is possible that the modifiable part 20
of the screening information may be modified locally by a process or an entity
having rights to perform the operation, but the rule template may be modified only
by a root entity. In this way, the entity authorized to modify the rule template does
not have to be bothered with all minor changes in the modifiable part of the rule
file. As the rights to modify different sets of subrules may additionally be given to
different entities, modifying the rules is flexible, but still only an authorized entity may
modify the most critical rules in the rule template.

As Figure 4 illustrates, a rule template may comprise a first part 31, which has L
rules from TemplateRule1 301 to TemplateRuleL 302, and a second part 32, which
has M-L rules from TemplateRuleL+1 303 to TemplateRuleM 304. The number of
rules (L or M) may be any integer. The first part 31 of the screening information
precedes the modifiable part 20, and the second part 32 succeeds it. The modifiable
part 20 may be placed after any TemplateRuleL, and the place for the modifiable
part 20 is conveniently identified by indicating TemplateRuleL, for example, in the
screening information which is retrieved from a database.

As typically the most critical rules of screening information are at the beginning
and/or at the end of screening information, a template of rules prevents
unintentional modification of these most critical rules. The last rule in a prior-art
ordered set of rules is typically of the following form: any, any, any, drop. When
this rule is TemplateRuleM, it cannot be unintentionally modified.

Figure 5 illustrates a second feature of screening information advantageously used
in some embodiments of the invention. This second feature is the use of generic
information portions in screening information. This is especially advantageous
when screening information, typically rules, is stored in a database and fetched
therefrom, for example, when a gateway element is configured. A generic
information portion can represent any information portion in a rule, and it is
replaced with local information before the rule is used. Such generic information
portions are often called aliases. Figure 5 presents an example where rule 500 has,
as part of the information specifying the header information of a data packet, an alias.
As the rule is, for example, fetched from a database when configuring a first
gateway element connecting a local network A to a public network, the alias is
replaced with information localA relating to the local network A (rule 501 in Figure
5). Correspondingly, as a second gateway element connecting a local network B to a
public network is configured, the alias is replaced with information localB relating
to the local network B (rule 502 in Figure 5). In many cases this replacement may
be performed automatically, for example by specifying in a configuration file the
local information which is to replace certain generic information portions in
screening information.

The use of generic information portions thus allows storing screening
information relating to a number of gateway elements in a database and easy
configuration of those gateway elements. Furthermore, as it is possible to
automatically update screening information locally stored in gateway elements after
the screening information in the database has been modified, the replacement of aliases
with local information is advantageously carried out automatically as screening
information is updated.
As an example of using generic information portions, some of which are replaced
with information about the local network and others of which are replaced with
information about a separate local network, consider rules stating that data packets
between two local networks A and B are protected by processing them according
to VPN instructions. In this case the rules may be of the following form. A first rule
has two generic information portions and it reads: alias1, alias2, any, VPN. A
second rule has the same two generic information portions, and it reads: alias2,
alias1, any, VPN. In the gateway elements connecting the local networks A and B
to a public network, alias1 may be replaced with local information (say, network A)
and alias2 with information about the other network (network B).

Figure 6 illustrates further examples of screening information in accordance with
the invention. Figure 6a illustrates an example of screening information 64
involving hierarchical rules and generic information portions. Rule2 comprises a
first generic information portion, alias1. The hierarchical rules 641 and 642 also
comprise generic information portions. As an example, subrule 403 does not
comprise generic information portions. Figure 6b illustrates an example of
screening information 60 involving a rule template and hierarchical rules. The rule
template 61 itself contains hierarchical rules 601, 602 and 603. Furthermore, the
modifiable part 40 of the screening information also contains hierarchical rules 401,
402, 403.

Figure 6c illustrates an example of screening information 66 involving a rule
template, hierarchical rules and generic information portions. The first template part
67 comprises hierarchical rules 661, 662 and 663, which involve a first generic
information portion (alias1) and a second generic information portion (alias2). In
addition, the modifiable part 64 of the screening information comprises rule2
having a third generic information portion (alias3). Furthermore, the modifiable part
64 comprises hierarchical rules 641, 402 and 403. The rule 641 involves a fourth
generic information portion (alias4).

Figure 7a illustrates an example of a method for providing screening information to
a gateway element. In step 701, an address of a database is stored in a gateway
element. In step 702, fetching of screening information from said database is
initiated. In step 703 screening information is received from the database. Steps 702
and 703 are typically carried out when the gateway element is configured. If the
address of a database entity is stored in a gateway element, this initiation of fetching
of screening information and said fetching may be performed automatically. This
makes configuring of gateway elements easy and straightforward.
In step 704 template rules, if there are any, are established. The modification of
template rules by entities not entitled to modify them is typically prevented at this
step. In step 705 the modifiable part of the screening information is established. In step
706 aliases in the screening information are detected. The rules containing aliases may
be either template rules or modifiable rules. In step 707, typically if the screening
information comprises rules involving aliases, local information is received. It may be
received, for example, in the form of a configuration file or fetched from the same or
from another database. In step 708 aliases are replaced with local information. In step
709 the modifiable part of the screening information is modified. This refers, for
example, to a person modifying the modifiable rules during or after configuration of a
gateway element. In step 710 updated rules are received from a database entity. This
step typically also involves the replacement of aliases with local information, if the
updated rules comprise aliases. Any part of the screening information may be
hierarchically structured; in other words, any part of the screening information may
contain subrules.
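The assembly of screening information described for Figures 4, 5 and 7a, as an added Python example that is not part of the patent: a template head and tail that only a root entity may change, a modifiable part that a local administrator may change, and aliases that are resolved per gateway element from received local information (steps 704 to 710). The rule tuples, the '@' alias prefix, the entity names root and local_admin, and the in-memory database content are assumptions made here for illustration.

```python
# Added example (not from the patent): assembling the screening information of
# one gateway element along the lines of Figure 7a, steps 704-710.
# Assumptions that are not in the original: a rule is a 4-tuple of strings
# (src, dst, prot, action); a generic information portion ("alias") is a token
# beginning with '@'; the database entity is modelled by in-memory constants;
# the entities are named "root" (may change the template) and "local_admin"
# (may change only the modifiable part).
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str]           # (src, dst, prot, action)
ALIAS_PREFIX = "@"

# Constructed "database" content. The template tail carries the final
# any, any, any, drop rule (TemplateRuleM), which must not be locally editable.
DB_TEMPLATE_HEAD: List[Rule] = [("any", "@local", "icmp", "drop")]
DB_MODIFIABLE: List[Rule] = [
    ("@local", "any", "tcp", "accept"),
    ("@local", "@peer", "any", "VPN"),      # the alias1, alias2, any, VPN pair
    ("@peer", "@local", "any", "VPN"),      # from the description
]
DB_TEMPLATE_TAIL: List[Rule] = [("any", "any", "any", "drop")]

# Which entity may modify which part (step 704 / claim 6).
RIGHTS: Dict[str, Set[str]] = {
    "template_head": {"root"},
    "modifiable": {"root", "local_admin"},
    "template_tail": {"root"},
}

@dataclass
class ScreeningInfo:
    template_head: List[Rule]
    modifiable: List[Rule]
    template_tail: List[Rule]

def find_aliases(rules: List[Rule]) -> Set[str]:
    """Step 706: every generic information portion used in the rules."""
    return {f for rule in rules for f in rule if f.startswith(ALIAS_PREFIX)}

def unresolved_aliases(rules: List[Rule], local_info: Dict[str, str]) -> Set[str]:
    """Aliases for which the received local information has no value."""
    return find_aliases(rules) - set(local_info)

def replace_aliases(rules: List[Rule], local_info: Dict[str, str]) -> List[Rule]:
    """Step 708. An alias with no local value is an error, not a literal: an
    unreplaced '@peer' left in a rule would never match an address, so the
    rule would silently do nothing. Fail closed before the rules are used."""
    missing = unresolved_aliases(rules, local_info)
    if missing:
        raise KeyError(f"no local information for {sorted(missing)}")
    return [tuple(local_info.get(f, f) for f in rule) for rule in rules]

def build(local_info: Dict[str, str]) -> ScreeningInfo:
    """Steps 704-708: establish template and modifiable parts, then localise them."""
    return ScreeningInfo(
        template_head=replace_aliases(DB_TEMPLATE_HEAD, local_info),
        modifiable=replace_aliases(DB_MODIFIABLE, local_info),
        template_tail=replace_aliases(DB_TEMPLATE_TAIL, local_info),
    )

def can_modify(entity: str, part: str) -> bool:
    return entity in RIGHTS.get(part, set())

def modify(info: ScreeningInfo, entity: str, part: str, rules: List[Rule],
           local_info: Dict[str, str]) -> ScreeningInfo:
    """Step 709 (local edit) or step 710 (updated rules from the database):
    replace one part, enforcing modification rights and alias replacement."""
    if not can_modify(entity, part):
        raise PermissionError(f"{entity} may not modify {part}")
    setattr(info, part, replace_aliases(rules, local_info))
    return info

def effective_rules(info: ScreeningInfo) -> List[Rule]:
    """The ordered rule list as the packet-processing means sees it:
    TemplateRule1..L, the modifiable part, TemplateRuleL+1..M."""
    return info.template_head + info.modifiable + info.template_tail

if __name__ == "__main__":
    local_a = {"@local": "10.1.0.0/16", "@peer": "10.2.0.0/16"}   # gateway of network A
    local_b = {"@local": "10.2.0.0/16", "@peer": "10.1.0.0/16"}   # gateway of network B
    for name, local in (("A", local_a), ("B", local_b)):
        for rule in effective_rules(build(local)):
            print(name, rule)
```

Two gateway elements with swapped @local and @peer values obtain the mirrored VPN rule pair from the description from one stored rule set. An alias without a local value is rejected rather than left in place: an unreplaced alias never matches an address, so the packet would fall through to whatever rule follows, typically the final drop, which is a silent outage rather than a visible configuration error. Template parts reject a local_admin edit, so TemplateRuleM stays intact.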

Figure 7b illustrates an example of a method according to the invention for
processing data packets. In this method 750, a data packet is compared to a rule in
step 751. If the header information of the data packet does not match that of the rule
(step 752), the data packet is compared to the next rule (steps 753 and 751). If the data
packet matches the header information of the current rule in step 752, it is checked
whether the current rule involves subrules (step 754). If the current rule has no subordinate
rules, the data packet is processed according to the current rule in step 755. If there
are subrules, the data packet is compared to a subrule in step 756. If the header
information of the data packet matches that specified in the subrule (and, as checked
before, that of the current rule), the data packet is processed according to the current
subrule in step 758. If there is no match in step 757, it is checked whether the current
subrule is the last subrule relating to the current rule (step 759). If the current
subrule is the last subrule, the data packet is compared to the next rule (steps 753
and 751); otherwise the data packet is compared to the next subrule (steps 760 and
756).
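The comparison flow of Figure 7b, as an added Python example that is not part of the patent. It implements steps 751 to 760, including nested subrules (claim 2), and also flattens the same hierarchy into the prior-art ordered list of Figure 2 so that the number of header comparisons for a packet can be compared between the two forms. The CIDR matching, the DMZ addresses, the rule set and the packet headers are constructed assumptions made here for illustration.

```python
# Added example (not from the patent): screening a packet header against
# hierarchically structured rules, following Figure 7b (steps 751-760) with
# nested subrules (claim 2), and counting header comparisons against the
# prior-art flat form of the same rules.
# Assumptions not in the original: header fields are src, dst and prot;
# address fields are IPv4 networks in CIDR form or "any"; a rule that has
# subrules carries no action of its own (the "proceed to subrules"
# instruction is implicit); the addresses and rule set below are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    src: str
    dst: str
    prot: str
    action: Optional[str] = None          # "accept", "drop", "VPN"; None = has subrules
    subrules: List["Rule"] = field(default_factory=list)

def _field_matches(spec: str, value: str) -> bool:
    """'any' matches everything; an address spec matches by CIDR containment;
    anything else (a protocol name) must be equal."""
    if spec == "any":
        return True
    try:
        return ip_address(value) in ip_network(spec, strict=False)
    except ValueError:
        return spec == value

def header_matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    return (_field_matches(rule.src, pkt["src"])
            and _field_matches(rule.dst, pkt["dst"])
            and _field_matches(rule.prot, pkt["prot"]))

def screen(rules: List[Rule], pkt: Dict[str, str], stats: Dict[str, int]) -> Optional[str]:
    """Return the action of the first matching (sub)rule, or None if the
    ordered list is exhausted. stats["compared"] counts header comparisons."""
    for rule in rules:                              # steps 751 / 753: next rule in order
        stats["compared"] += 1
        if not header_matches(rule, pkt):           # step 752: no match -> next rule
            continue
        if not rule.subrules:                       # steps 754 / 755
            return rule.action
        action = screen(rule.subrules, pkt, stats)  # steps 756-760, recursive for claim 2
        if action is not None:
            return action
        # step 759: the last subrule did not match either -> fall through to the
        # next rule; a matching parent with no matching subrule is NOT a match
    return None

def screen_with_count(rules: List[Rule], pkt: Dict[str, str]) -> Tuple[Optional[str], int]:
    stats = {"compared": 0}
    return screen(rules, pkt, stats), stats["compared"]

def _narrower(parent: str, child: str) -> str:
    return parent if child == "any" else child

def flatten(rules: List[Rule], parent: Optional[Rule] = None) -> List[Rule]:
    """Prior-art form (Figure 2) of the same information: one flat ordered list
    of leaf rules, each carrying its ancestors' header information merged in."""
    flat: List[Rule] = []
    for r in rules:
        merged = r if parent is None else Rule(
            _narrower(parent.src, r.src), _narrower(parent.dst, r.dst),
            _narrower(parent.prot, r.prot), r.action, r.subrules)
        if merged.subrules:
            flat.extend(flatten(merged.subrules, merged))
        else:
            flat.append(Rule(merged.src, merged.dst, merged.prot, merged.action))
    return flat

# Constructed rule set for the DMZ example in the description: Rule2 gives only
# the partial header "any source, destination DMZ, any protocol"; its mail and
# WWW subrules refine the destination and protocol.
DMZ, MAIL, WWW = "192.0.2.0/24", "192.0.2.25", "192.0.2.80"
RULES = [
    Rule("10.0.0.0/8", "any", "any", "accept"),           # Rule1: local network outbound
    Rule("any", DMZ, "any", subrules=[                    # Rule2: partial header only
        Rule("any", MAIL, "smtp", "accept"),              # Rule2.1: mail server
        Rule("any", WWW, "any", subrules=[                # Rule2.2: WWW server, own subrules
            Rule("any", WWW, "http", "accept"),           # Rule2.2.1
            Rule("any", WWW, "https", "accept"),          # Rule2.2.2
        ]),
    ]),
    Rule("any", "any", "any", "drop"),                    # RuleN: any, any, any, drop
]
PKT_TO_PUBLIC = {"src": "198.51.100.7", "dst": "203.0.113.9", "prot": "tcp"}
PKT_SSH_TO_WWW = {"src": "198.51.100.7", "dst": "192.0.2.80", "prot": "ssh"}
PKT_SMTP = {"src": "198.51.100.7", "dst": "192.0.2.25", "prot": "smtp"}

if __name__ == "__main__":
    for name, pkt in (("to public", PKT_TO_PUBLIC), ("ssh to www", PKT_SSH_TO_WWW),
                      ("smtp", PKT_SMTP)):
        print(name, "hierarchical:", screen_with_count(RULES, pkt),
              "flat:", screen_with_count(flatten(RULES), pkt))
```

For the packet to the public network, the hierarchical form settles the packet in 3 comparisons against 5 for the flat list, because the partial header of Rule2 fails and its whole subtree is skipped; the saving grows with the number of subrules a non-matching parent hides. The ssh packet to the WWW server shows the fall-through of step 759: Rule2 and Rule2.2 both match, but none of the leaf subrules do, so the packet continues to the final any, any, any, drop instead of being accepted on the strength of the parent's partial match. This is why a rule that has subrules must carry no action of its own.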

Figure 8 illustrates an example of a gateway element 80a and an arrangement 85 in
accordance with the invention. A gateway element 80a comprises

- means 801 for storing said screening information, and

- means 802 for processing data packets, said processing comprising comparison of
a data packet header to header information specified in said screening information,

and it is characterized in that said means for processing data packets are arranged to
compare header information of a data packet to screening information comprising a
first rule, which specifies first header information, and a subset of rules relating to
said first rule, and arranged to compare a data packet to said subset of rules only if
the header information of the data packet matches the header information of the first
rule.

A gateway element 80a may further comprise means 803 for detecting generic
information portions in screening information, for receiving second information and
for replacing generic information portions in said screening information with said
second information. Alternatively or additionally it may further comprise means
804 for preventing modification of at least one rule belonging to said information. A
gateway element 80a may further comprise means 805 for receiving at least part of
said screening information from a database entity and, additionally, further means
806 for fetching at least part of said screening information from said database
entity, said means for fetching being arranged to initiate fetching as part of
configuration of said gateway element.

The means 802-806 are typically implemented as a suitable combination of
hardware and software. They are advantageously implemented using software program
code means executed by a processor unit. They may implement any of the methods
described above or any of the features discussed in connection with Figures 3-7.
The means 801 for storing information for screening data packets is typically a file
on a disk.

An arrangement 85 comprises at least one gateway element 80a and a database
entity 81. Said at least one gateway element 80a comprises means 801 for storing
information for screening data packets and means 802 for processing data packets.
The arrangement 85 is characterized in that

- said database entity 81 comprises means 82 for providing information for
screening data packets, and

- said at least one gateway element 80a further comprises means 805 for receiving
at least part of said information for screening data packets from said database entity,
and said means 802 for processing data packets are arranged to compare header
information of a data packet to screening information comprising a first rule, which
specifies first header information, and a subset of rules relating to said first rule, and
arranged to compare a data packet to said subset of rules only if the header
information of the data packet matches the header information of the first rule.
The gateway element which is part of the arrangement 85 may further comprise
any of the above described means 803, 804 or 806.

The arrangement 85 in Figure 8 comprises three gateway elements 80a, 80b and
80c. Typically screening information is stored in the database entity 81. The generic
information portions, which the screening information stored in the database entity
81 typically comprises, are usually replaced with gateway-element-specific local
information. This gateway-element-specific information may be stored in the
database entity 81 and fetched from there, for example, when configuring the
gateway elements.



Claims

1. A method (750) for processing data packets in a gateway element, said method
comprising the steps of:

- comparing (751) a data packet to screening information comprising a set of rules,
and

- processing (755) a data packet according to a rule belonging to the set of rules, the
header information of said data packet matching the header information of said rule,
characterized in that

- said screening information is hierarchically structured so that it comprises a first
rule, which specifies first header information, and a subset of rules relating to said
first rule, and in that

- in said step of comparing a data packet, said data packet is compared (754, 756) to
said subset of rules only if the header information of the data packet matches the
header information of the first rule.

2. A method according to claim 1, characterized in that

- said subset of rules comprises a second rule, which specifies second header
information, and a second subset of rules, said second subset of rules relating to said
second rule, and in that

- in said step of comparing a data packet, said data packet is compared to said
second subset of rules only if the header information of the data packet matches the
header information of the second rule.

3. A method according to claim 1, characterized in that

- said set of rules is an ordered sequence of rules,

- said subset of rules is an ordered sub-sequence of said ordered sequence of rules,
and

- in said step of comparing a data packet, said data packet is compared to the rules
in the order defined by the ordered sequence.

4. A method according to claim 1, characterized in that for said subset of rules,
an entity which is authorized to modify said subset is specified.

5. A method according to claim 1, characterized in that at least one rule
belonging to said subset of rules comprises a generic information portion, said
generic information portion to be replaced with second information before a data
packet is compared to said at least one rule.
6. A method according to claim 1, characterized in that said screening
information comprises a first part, which is modifiable by an entity authorized to
configure said gateway element, and a second part, which is modifiable by an entity
specifically authorized to modify said second part.

7. A gateway element (80) comprising 

- means (801) for storing screening information and 

- means (802) for processing data packets, said processing involving comparison of 
a data packet header to header information specified in said screening information, 
characterized in that said means (802) for processing data packets are arranged to 
compare header information of a data packet to screening information comprising a 
first rule, which specifies first header information, and a subset of rules relating to 
said first rule, and arranged to compare a data packet to said subset of rules only if 
the header information of the data packet matches the header information of the first 
rule. 

8. A gateway element according to claim 7, characterized in that it further 
comprises 

- means (803) for detecting generic information portions in said screening 
information, 

- means (803) for receiving second information, and 

- means (803) for replacing the generic information portion in said screening 
information with said second information. 

9. A gateway element according to claim 8, characterized in that it further 
comprises 

- means (804) for preventing modification of at least one rule belonging to said 
information. 

10. A gateway element according to claim 7, characterized in that it further 
comprises 

- means (805) for receiving at least part of said screening information from a 
database entity. 

11. A gateway element according to claim 10, characterized in that it further 
comprises 

- means (806) for fetching at least part of said screening information from said 
database entity, said means for fetching being arranged to initiate fetching as part of 
configuration of said gateway element. 
12. An arrangement (85) comprising at least one gateway element (80) and a 
database entity (81), said at least one gateway element comprising 

- means (801) for storing information for screening data packets and 

- means (802) for processing data packets, said processing involving comparison of 
a data packet header to header information specified in said screening information, 
characterized in that 

- said database entity comprises means (82) for providing information for screening 
data packets, 

- said at least one gateway element further comprises means (805) for receiving at 
least part of said information for screening data packets from said database entity, 
and said means (802) for processing data packets are arranged to compare header 
information of a data packet to screening information comprising a first rule, which 
specifies first header information, and a subset of rules relating to said first rule, and 
arranged to compare a data packet to said subset of rules only if the header 
information of the data packet matches the header information of the first rule. 

13. A computer program comprising program code for performing all the steps of 
Claim 1 when said program is run on a computer. 

14. A computer program product comprising program code means stored on a 
computer readable medium for performing the method of Claim 1 when said 
program product is run on a computer. 

15. A data structure (40, 60, 64, 66) comprising screening information, 
characterized in that said screening information is hierarchically structured so that it 
comprises a first rule (401), which specifies first header information, and a subset of 
rules (402, 403) relating to said first rule, said first header information being 
common to said rules belonging to said subset of rules. 

16. A data structure (42) according to claim 15, characterized in that said subset 
of rules comprises a second rule (421), which specifies second header information, 
and a second subset of rules (422, 423), said second subset of rules relating to said 
second rule, said second header information being common to said rules belonging 
to said second subset of rules. 
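The following is an added illustration, not code from the patent or its applicant: a small Python model of the hierarchically structured screening information of claims 1 to 3 and 15 to 16, with the generic-portion replacement of claim 5. Rule field names, the packet dictionary layout, the `$NAME` placeholder syntax and all addresses and ports are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    match: dict                    # header fields this rule requires (assumed layout)
    action: Optional[str] = None   # "allow" / "deny"; None = grouping rule only
    sub_rules: list = field(default_factory=list)  # subset of rules relating to this rule

def field_matches(want, have):
    if have is None:
        return False
    if "/" in str(want):           # address field given as a prefix
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    return want == have

def header_matches(match, pkt):
    return all(field_matches(w, pkt.get(k)) for k, w in match.items())

def resolve(rule, bindings):
    """Claim 5: replace generic portions ($NAME) with concrete values before comparison."""
    match = {k: bindings.get(v[1:], v) if isinstance(v, str) and v.startswith("$") else v
             for k, v in rule.match.items()}
    return Rule(match, rule.action, [resolve(r, bindings) for r in rule.sub_rules])

def screen(rules, pkt, default="deny"):
    """Claims 1-3: walk rules in order; consult a subset only if its parent header matches."""
    for rule in rules:
        if not header_matches(rule.match, pkt):
            continue               # subset is never compared (step 754 branch)
        if rule.sub_rules:         # step 756: compare against the subset
            verdict = screen(rule.sub_rules, pkt, default=None)
            if verdict is not None:
                return verdict
        if rule.action is not None:  # parent's own action applies if no sub-rule matched
            return rule.action
    return default

# Constructed rule base (assumed values): traffic to the local network is denied except
# for the subset of services, which a separately authorized entity could maintain (claims 4, 6).
RULES = [
    Rule({"dst": "$LOCAL_NET"}, action="deny", sub_rules=[
        Rule({"proto": "tcp", "dport": 443}, action="allow"),
        Rule({"proto": "tcp", "dport": 22, "src": "192.0.2.0/24"}, action="allow"),
    ]),
    Rule({"proto": "icmp"}, action="allow"),
]
RESOLVED = [resolve(r, {"LOCAL_NET": "10.1.0.0/16"}) for r in RULES]
```

Because the subset is reached only through the first rule, an ICMP packet addressed to the local network is denied by that rule even though a later top-level rule allows ICMP; the order of the sequence (claim 3) decides.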



(57) Abstract 



A method (750) for processing data packets in a gateway 
element comprises the steps of: comparing (751) a data 
packet to screening information comprising a set of rules, 
and processing (755) a data packet according to a rule 
belonging to the set of rules, the header information of said 
data packet matching the header information of said rule. 
The method is characterized in that said screening 
information is hierarchically structured so that it comprises 
a first rule, which specifies first header information, and a 
subset of rules relating to said first rule, and in that in said 
step of comparing a data packet, said data packet is 
compared (754, 756) to said subset of rules only if the 
header information of the data packet matches the header 
information of the first rule. A gateway element (80), an 
arrangement (85), and a data structure (40) comprising 
screening information are also presented. 